- Prevention of unauthorised access to the system
- Detection unauthorised access to the system
- Management of access to the system.
- Segregration of duties should not be compromised.
- Unique user identification
- Require users to sign statements indicating understanding of their access rights
- Granted of access dependent on suitable level of Authorisation including the system owner - extra scrutiny around requests > standard profiles.
- Regular review of rights with redundant user IDs and accounts removed
However, given that higher levels of security come at a cost, the level of access security should be determined on the basis of a risk assessment.
A number of access security devices can be employed, but a basic log-on procedure should have the following features.
- Warning notice
- No help to users
- Validation only on completion of all input data
- Limited number of attempts
- Record unsuccessful attempts
- Enforce time delay between failed attempts
Enhanced features may include encryption.
Managing a large number of users' access rights is a costly process which explains the use of standard user profiles.